summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/libvirt-CVE-2017-1000256.patch84
-rw-r--r--gnu/packages/virtualization.scm6
3 files changed, 3 insertions, 88 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index c75f1f90d8..a0e3f6ebe0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -842,7 +842,6 @@ dist_patch_DATA = \
%D%/packages/patches/libunistring-gnulib-multi-core.patch \
%D%/packages/patches/libusb-0.1-disable-tests.patch \
%D%/packages/patches/libusb-for-axoloti.patch \
- %D%/packages/patches/libvirt-CVE-2017-1000256.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
deleted file mode 100644
index d577e1eb50..0000000000
--- a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-Fix CVE-2017-1000256:
-
-https://security.libvirt.org/2017/0002.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
-
-Patch copied from upstream source repository:
-
-https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
-
-From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Thu, 5 Oct 2017 17:54:28 +0100
-Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
-
-The default_tls_x509_verify (and related) parameters in qemu.conf
-control whether the QEMU TLS servers request & verify certificates
-from clients. This works as a simple access control system for
-servers by requiring the CA to issue certs to permitted clients.
-This use of client certificates is disabled by default, since it
-requires extra work to issue client certificates.
-
-Unfortunately the code was using this configuration parameter when
-setting up both TLS clients and servers in QEMU. The result was that
-TLS clients for character devices and disk devices had verification
-turned off, meaning they would ignore errors while validating the
-server certificate.
-
-This allows for trivial MITM attacks between client and server,
-as any certificate returned by the attacker will be accepted by
-the client.
-
-This is assigned CVE-2017-1000256 / LSN-2017-0002
-
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
----
- src/qemu/qemu_command.c | 2 +-
- .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
- ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
-index 9a27987..ae78cd1 100644
---- a/src/qemu/qemu_command.c
-+++ b/src/qemu/qemu_command.c
-@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
- if (virJSONValueObjectCreate(propsret,
- "s:dir", path,
- "s:endpoint", (isListen ? "server": "client"),
-- "b:verify-peer", verifypeer,
-+ "b:verify-peer", (isListen ? verifypeer : true),
- NULL) < 0)
- goto cleanup;
-
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-index 5aff773..ab5f7e2 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
-@@ -26,7 +26,7 @@ server,nowait \
- localport=1111 \
- -device isa-serial,chardev=charserial0,id=serial0 \
- -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
--endpoint=client,verify-peer=no \
-+endpoint=client,verify-peer=yes \
- -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
- tls-creds=objcharserial1_tls0 \
- -device isa-serial,chardev=charserial1,id=serial1 \
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-index 91f1fe0..2567abb 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
-@@ -31,7 +31,7 @@ localport=1111 \
- data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
- keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
- -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
--endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
-+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
- -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
- tls-creds=objcharserial1_tls0 \
- -device isa-serial,chardev=charserial1,id=serial1 \
---
-1.7.1
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 184ba0155c..d9fae08b25 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2017 Andy Patterson <ajpatter@uwaterloo.ca>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -329,15 +330,14 @@ manage system or application containers.")
(define-public libvirt
(package
(name "libvirt")
- (version "3.7.0")
+ (version "3.10.0")
(source (origin
(method url-fetch)
(uri (string-append "https://libvirt.org/sources/libvirt-"
version ".tar.xz"))
- (patches (search-patches "libvirt-CVE-2017-1000256.patch"))
(sha256
(base32
- "1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))
+ "03kb37iv3dvvdlslznlc0njvjpmq082lczmsslz5p4fcwb50kwfz"))))
(build-system gnu-build-system)
(arguments
`(;; FAIL: virshtest